Introduction - HCISPP Study Guide (2015)


Chapter 1. Introduction


This chapter provides an overview of the importance of information security and privacy, the target audience for the book, HealthCare Information Security and Privacy Practitioner (HCISPP) certification requirements, and learning objectives.



This chapter will help readers understand

Importance of information security and privacy

Target audience

HealthCare Information Security and Privacy Practitioner (HCISPP) certification requirements

Learning objectives


The importance of security and privacy is rapidly increasing across all industries, especially given the recent acceleration in public data breaches and record disclosures. As this book was being written, the public witnessed large breaches in the retail industry involving stolen credit card and personal information. At first glance one might dismiss this type of threat as not applicable to healthcare organizations, since their core business is the delivery of patient care. In many cases that would be a mistake: patients regularly pay for healthcare services with a credit or debit card; organizations hold massive amounts of protected health information (PHI); the use of health information technology has increased significantly, which creates additional privacy and security risk; and PHI is shared outside organizational boundaries with third parties to support the delivery of healthcare services. Healthcare organizations will need qualified risk management professionals to help manage the broad array of risks faced within the industry.

The HCISPP certification is for individuals who want to understand how to assess risk and implement and maintain security and privacy controls specific to the healthcare industry while remaining compliant with the many laws and regulations that govern it. Individuals holding certifications such as the HCISPP are more likely to be selected for job interviews because an industry certification, and the qualifications it conveys, is immediately recognized. Since the exam details are subject to change, per (ISC)2, we encourage candidates to obtain the most current HCISPP Candidate Information Bulletin from (ISC)2 before beginning their exam preparation. Candidates may require a deeper understanding of some concepts discussed throughout this book depending on the nature of their current or future roles, their educational background, and their work experience in each of the HCISPP exam domains.
However, this book was written to provide a foundational level of knowledge and to teach candidates only what is necessary to pass the HCISPP examination – nothing more, nothing less. Consider it the first step in a journey as a security and privacy practitioner in the healthcare industry. Because the healthcare industry, the technology that supports it, and the laws and regulations that govern it change continuously, we encourage HCISPP candidates and certificate holders to participate actively in the industry, stay abreast of changes, and commit to continuing education and gaining new experience. The examination and this book focus on six key domains of knowledge:

Healthcare industry

Regulatory environment

Privacy and security in healthcare

Information governance and risk management

Information risk assessment

Third-party risk management

Individuals who may want to consider obtaining an HCISPP certification include, but are not limited to:

Information security analysts

Information security officers (CSO, CISO, ISO)

Privacy officers (CPO)

Compliance officers (CCO)

Records management personnel

Information technology managers

Security and privacy consultants

Risk management personnel

Internal and external auditors

Data protection officers

Health information managers

HCISPP Certification Requirements

Prior to taking the HCISPP examination, candidates must meet the following requirements:

Register for the exam and pay the examination fee. The most current fees are available at

Have a minimum of 2 years of security, privacy, and compliance experience across the six knowledge domains. At least 1 year of that experience must be in one of the following three domains:

Healthcare industry

Regulatory environment in healthcare

Privacy and security in healthcare

The second year of experience can be in the domains mentioned earlier or in one of the following three domains:

Information governance and risk management

Information risk assessment

Third-party risk management

Legal and information management experience may also be substituted for compliance and privacy experience, respectively.

Provide a truthful attestation of professional experience and legally agree to abide by the Code of Ethics; and

Provide yes or no responses to four questions pertaining to criminal history and background.

Exam Registration

The exam is computer-based (CBT) and proctored at an authorized testing location; paper-based exams are available on a case-by-case basis. The exam consists of 125 multiple-choice questions with 4 choices each and must be completed in 3 hours. Candidates should ensure they are well rested before the examination and, if traveling from outside the area, consider staying at a hotel close to the testing facility the night before. Registration for the exam can be completed online through the (ISC)2 website or over the phone and requires payment of the exam fee, agreement to the Code of Ethics, and responses to the criminal history and background questions.

Code of Ethics

The Code of Ethics includes a preamble and four canons. All professionals who receive an HCISPP certification must abide by the Code, recognize that their certification is a privilege (not a right), and understand that the certification is subject to revocation for members who intentionally or knowingly violate the Code.


The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Advance and protect the profession.